Cybersecurity and Healthcare
By Shelly Bangert
“We are building our lives around our wired and wireless networks. The question is, are we ready to work together to defend them?” This headline appears on the About Us page of the FBI website, www.fbi.gov, which describes that agency’s efforts to investigate cyber-based terrorism, espionage and computer fraud. The text goes on to describe how the FBI combats cyber-crime and cyber-terrorism by gathering and sharing information with public institutions and private businesses worldwide.
Sharing information and best practices is a fundamental principle in the fight against cyber-crime and terrorism. In 2014, another federal government agency, the National Institute of Standards and Technology (NIST), issued a press release announcing Executive Order 13636, “Improving Critical Infrastructure Cybersecurity.” This 41-page document describes the Cybersecurity Framework for protecting 16 of our nation’s critical infrastructures, including banking, transportation, telecommunications and healthcare.
NIST is not a regulatory body. It is an agency of the Department of Commerce, and its mission is to “promote U.S. innovation and industrial competitiveness by advancing measurement science, standards and technology in ways that enhance economic security and improve our quality of life.”
The NIST Cybersecurity Framework is a collaborative effort between public and private organizations, and its purpose is to provide a set of industry standards and best practices for managing cybersecurity risks.
At this point the Cybersecurity Framework is a voluntary program. The 16 critical infrastructure sectors—including healthcare—are expected to assess their own risks and implement their own best practices. By meeting the guidelines of the framework, organizations may be able to avoid additional federal regulation of cybersecurity.
The framework includes three primary components: Core, Tiers and Profiles. There are five Core functions for reducing cybersecurity risk: Identify, Protect, Detect, Respond and Recover. There are four Tiers of organizational engagement and preparation: Partial, Risk Informed, Repeatable and Adaptive. The Profiles describe the organization’s current state of cybersecurity activities. Each organization is responsible for addressing the Core functions, moving up the Tiers of engagement and developing its own Profiles of goals and outcomes.
The five Core functions describe how an organization should establish practices for 1) identifying its most critical intellectual property and assets, 2) developing and implementing procedures to protect them, 3) having resources in place to detect a cybersecurity breach, 4) having procedures in place to respond to a breach, and 5) having procedures in place to recover from a breach when one occurs.
There are direct benefits for organizations that respond to the Cybersecurity Framework and implement its components. Proponents of the framework cite benefits such as collaboration, risk reduction, cost savings and improved internal practices.
Additionally, some proponents have observed a benefit related to the demonstration of due care. If, for example, an organization is victimized by hackers or terrorists, its directors may have to defend its security practices to insurance companies, consumers or litigants. Organizations that have implemented the Cybersecurity Framework will be able to demonstrate that they have taken due care to protect their information and assets. According to SEC Commissioner Luis Aguilar, the Cybersecurity Framework has been suggested as a potential baseline for “best practices by companies, including in assessing legal or regulatory exposure to these issues or for insurance purposes.”
The healthcare sector has benefitted greatly from technological improvements in telemedicine, remote diagnosis, record transfers and billing efficiencies, to cite just a few examples. Now it is time to defend the healthcare infrastructure against cyber-attacks from criminals and terrorists.
Shelly Bangert is director of revenue cycle management at Hawthorn Physician Services Corp. in St. Louis. Shelly can be reached at .